cyberno-ir/elk-stack-log.yml

## elk-stack-log.yml
- type: filestream
  id: cyberno-products
  enabled: true
  paths:
    - /var/log/syslog
  processors:
    - drop_event:
        when:
          not.contains:
            message: "User_Email"
    - dissect:
        tokenizer: "%{} %{} %{} %{} [%{} %{}] WARNING in logs: User_Email: %{email} User_IP: %{ip} User_Agent: %{useragent} Log: %{log} Extra: %{extra}"
        field: "message"
        target_prefix: "cyberno"
    - decode_json_fields:
        fields: ["cyberno.extra"]
        process_array: true
        max_depth: 1
        target: ""
        overwrite_keys: true
        add_error_key: true
	- type: filestream
	id: cyberno-products
	enabled: true
	paths:
	- /var/log/syslog
	processors:
	- drop_event:
	when:
	not.contains:
	message: "User_Email"
	- dissect:
	tokenizer: "%{} %{} %{} %{} [%{} %{}] WARNING in logs: User_Email: %{email} User_IP: %{ip} User_Agent: %{useragent} Log: %{log} Extra: %{extra}"
	field: "message"
	target_prefix: "cyberno"
	- decode_json_fields:
	fields: ["cyberno.extra"]
	process_array: true
	max_depth: 1
	target: ""
	overwrite_keys: true
	add_error_key: true